Your message dated Sat, 16 May 2015 18:17:06 +0000
with message-id <e1ytge2-0006p9...@franck.debian.org>
and subject line Bug#783451: fixed in libmodule-signature-perl 0.73-1+deb8u1
has caused the Debian Bug report #783451,
regarding libmodule-signature-perl: CVE-2015-3406 CVE-2015-3407 CVE-2015-3408
CVE-2015-3409
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
783451: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783451
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libmodule-signature-perl
Version: 0.73-1
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for libmodule-signature-perl.
CVE-2015-3406[0]:
unsigned files interpreted as signed in some circumstances
CVE-2015-3407[1]:
arbitrary code execution during test phase
CVE-2015-3408[2]:
arbitrary code execution when verifying module signatures
CVE-2015-3409[3]:
arbitrary modules loading in some circumstances
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-3406
[1] https://security-tracker.debian.org/tracker/CVE-2015-3407
[2] https://security-tracker.debian.org/tracker/CVE-2015-3408
[3] https://security-tracker.debian.org/tracker/CVE-2015-3409
Please adjust the affected versions in the BTS as needed.
p.s.: for the pkg-perl team: I planned to look into it for all needed
versions, but if somebody beats me to it, just go ahead!
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libmodule-signature-perl
Source-Version: 0.73-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
libmodule-signature-perl, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 783...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated
libmodule-signature-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 14 May 2015 12:58:30 +0200
Source: libmodule-signature-perl
Binary: libmodule-signature-perl
Architecture: source all
Version: 0.73-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
libmodule-signature-perl - module to manipulate CPAN SIGNATURE files
Closes: 783451
Changes:
libmodule-signature-perl (0.73-1+deb8u1) jessie-security; urgency=high
.
* Team upload.
* Add CVE-2015-3406_CVE-2015-3407_CVE-2015-3408.patch patch.
CVE-2015-3406: Module::Signature parses the unsigned portion of the
SIGNATURE file as the signed portion due to incorrect handling of PGP
signature boundaries.
CVE-2015-3407: Module::Signature incorrectly handles files that are not
listed in the SIGNATURE file. This includes some files in the t/
directory that would execute when tests are run.
CVE-2015-3408: Module::Signature uses two-argument open() calls to read
the files when generating checksums from the signed manifest, allowing
arbitrary shell commands to be embedded in the SIGNATURE file that would
execute during the signature verification process. (Closes: #783451)
* Add CVE-2015-3409.patch patch.
CVE-2015-3409: Module::Signature incorrectly handles module loading,
allowing modules to be loaded from relative paths in @INC. A remote attacker
providing a malicious module could use this issue to execute arbitrary
code during signature verification. (Closes: #783451)
* Add Fix-signature-tests.patch patch.
Fix signature tests by defaulting to verify(skip=>1) when
$ENV{TEST_SIGNATURE} is true.
Checksums-Sha1:
b6990c71af5da61b71d4bd4bca27098a2958a8b7 2267
libmodule-signature-perl_0.73-1+deb8u1.dsc
0bb005a69aae5f7f7511f5d6b1a61762bca27173 77407
libmodule-signature-perl_0.73.orig.tar.gz
efa31256e138a422964ef3d542398651b4204d82 9228
libmodule-signature-perl_0.73-1+deb8u1.debian.tar.xz
2efa2008b111775f84e708f50af5a1cf5138ec9a 30370
libmodule-signature-perl_0.73-1+deb8u1_all.deb
Checksums-Sha256:
c6077564106e19aa7e3c467691b532e6ba3d816a2b3e616845366acd183ab58d 2267
libmodule-signature-perl_0.73-1+deb8u1.dsc
718520721888ac4a7d930e26c4cd628ca24d60b2b18bddb081b331731a94bbc5 77407
libmodule-signature-perl_0.73.orig.tar.gz
55f91aa141ce5ad92d91f7f09047d11ac6c2983cb23d1198204afb3a39aaefc4 9228
libmodule-signature-perl_0.73-1+deb8u1.debian.tar.xz
edfa422b39a38c2d67defd43914e530c4bc6f180a62612977dd6117e209beb17 30370
libmodule-signature-perl_0.73-1+deb8u1_all.deb
Files:
756f562f239e87355814b389af5746f7 2267 perl optional
libmodule-signature-perl_0.73-1+deb8u1.dsc
de27bbca948ba8a13a7f614414cb623d 77407 perl optional
libmodule-signature-perl_0.73.orig.tar.gz
2e37f224f43f759c17572680a4260c14 9228 perl optional
libmodule-signature-perl_0.73-1+deb8u1.debian.tar.xz
c7e59f278e5e54b3643614501b67109b 30370 perl optional
libmodule-signature-perl_0.73-1+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=wZmv
-----END PGP SIGNATURE-----
--- End Message ---
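The changelog above names the two mechanics behind CVE-2015-3406 and CVE-2015-3408: manifest lines lying outside the PGP cleartext boundaries were treated as signed, and filenames from the manifest were passed to Perl's two-argument open(), which lets the data choose the mode. The script below is an added example and is not Module::Signature's code or the Debian patches; the SIGNATURE-style text, the function names and the temporary-directory layout are constructed for illustration, and the PGP signature itself is not checked (that step is left to gpg). It shows the flawed shape of each step next to a safe variant, run against the same input.

```perl
#!/usr/bin/perl
# Added example; not Module::Signature's own code. Sample data, function
# names and the temp directory are constructed for this illustration.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use File::Temp qw(tempdir);

# Constructed SIGNATURE-style file. Only the lines between the blank line
# that ends the armor headers and "-----BEGIN PGP SIGNATURE-----" are
# covered by the signature. The final line was appended after the armor,
# so it is unsigned, and its "filename" ends in "|". Its digest is the
# SHA1 of the empty string, i.e. of what `touch` prints.
my $signature_text = <<'EOF';
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 empty.txt
-----BEGIN PGP SIGNATURE-----

(signature data omitted in this constructed sample)
-----END PGP SIGNATURE-----
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 touch pwned.txt|
EOF

# Flawed boundary handling: every line shaped like a manifest entry is
# accepted, wherever it sits in the file (the shape of CVE-2015-3406).
sub naive_manifest {
    my ($text) = @_;
    return grep { /^SHA\d+ [0-9a-f]+ \S/ } split /\n/, $text;
}

# Correct boundary handling: return only the signed span, so lines added
# after "-----END PGP SIGNATURE-----" never reach the checksum loop.
sub signed_manifest {
    my ($text) = @_;
    my ($state, @signed) = ('outside');
    for my $line (split /\n/, $text) {
        if ($state eq 'outside') {
            $state = 'headers' if $line eq '-----BEGIN PGP SIGNED MESSAGE-----';
        } elsif ($state eq 'headers') {
            $state = 'body' if $line eq '';   # blank line ends the armor headers
        } else {
            last if $line eq '-----BEGIN PGP SIGNATURE-----';
            $line =~ s/^- //;                 # undo RFC 4880 dash-escaping
            push @signed, $line;
        }
    }
    return @signed;
}

# Vulnerable read (the shape of CVE-2015-3408): two-argument open() lets
# the filename choose the mode, so "touch pwned.txt|" runs a command and
# reads its output instead of opening a file.
sub digest_2arg {
    my ($name) = @_;
    open(my $fh, $name) or return undef;
    binmode $fh;
    local $/;
    my $data = <$fh>;
    close $fh;
    return sha1_hex(defined $data ? $data : '');
}

# Hardened read: explicit '<' mode, and refuse absolute or parent-relative
# paths so an entry cannot point outside the distribution directory.
sub digest_3arg {
    my ($name) = @_;
    return undef if $name =~ m{^/} || $name =~ m{(?:^|/)\.\.(?:/|$)};
    open(my $fh, '<', $name) or return undef;
    binmode $fh;
    local $/;
    my $data = <$fh>;
    close $fh;
    return sha1_hex(defined $data ? $data : '');
}

# Walk a manifest with the given reader and report each entry.
sub check {
    my ($label, $reader, @manifest) = @_;
    for my $entry (@manifest) {
        my ($alg, $want, $file) = split ' ', $entry, 3;   # keep spaces in the name
        my $got = $reader->($file);
        printf "%-6s %-18s %s\n", $label, $file,
            !defined $got ? 'cannot open (fails closed)'
          : $got eq $want ? 'digest matches'
          :                 'digest mismatch';
    }
}

# Work inside a throwaway "distribution" directory containing one real file.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";
open(my $out, '>', 'empty.txt') or die "empty.txt: $!";
close $out;

# Flawed pair: the unsigned entry is accepted, "verifies", and runs touch.
check('naive', \&digest_2arg, naive_manifest($signature_text));
print "pwned.txt created by the naive run: ", (-e 'pwned.txt' ? "yes\n" : "no\n");

# Safe pair: only the signed entry is considered, and it is opened as a file.
check('safe', \&digest_3arg, signed_manifest($signature_text));
```

In the naive run the appended entry both passes the digest comparison and creates pwned.txt, because two-argument open() treated the trailing "|" as a pipe from a command; in the safe run that entry is never seen, and even if it were, the three-argument open() would report that no such file exists and the check would fail closed.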